Internet Access Considerations
Applies To: Windows Server 2008, Windows Server 2008 R2
As more users become mobile, whether working from home or requiring access to company resources from other external computers, access to protected documents via the Internet often becomes a necessity.
In order to enable consumption of AD RMS protected content via the Internet, the AD RMS infrastructure must provide at least one of two capabilities:
Pre-licensing of content - Pre-licensing consists of the issuance of the necessary end-user license to consume content when the file is distributed the user. Microsoft Exchange 2007 SP1 provides this capability, by acquiring end-user licenses prior to the users’ request. This normally occurs when the end user initiates access to the protected message or to a protected file attached to an unprotected message (when a message is passed to the Exchange Hub Transport servers). When the user receives the protected content (which can be email messages, or files attached to the messages), an end-user license to consume the content is delivered along with it. When the user opens the content, no licensing operation is necessary, and the file can be consumed off line.
Access to the AD RMS licensing services via the Internet - If a user receives protected content that has not been pre-licensed, the user must contact the licensing services in order to acquire a license for the protected content. This implies that the RMS client communicates with the cluster that issued the publishing license across any firewall between the licensing servers and the client. This is normally not a problem, since communication between the client and the licensing servers is done through ports 80 (HTTP) and 443 (HTTPS), which are widely accepted for publishing services to the Internet. Additionally, the licensing servers must be able to access the database servers and the directory servers, which are accessed through a more extensive set of protocols and ports.
In the pre-licensing case, the AD RMS servers can be installed away from Internet accessible networks, as they need to be reached only from the Exchange Hub Transport servers. Nevertheless, it is unlikely that this will suffice in most scenarios, as documents not pre-licensed (such as those downloaded from an Intranet site to be opened when the user is no longer in the internal network) will require contact to the licensing servers at the time of opening. Thus, for most scenarios, providing access to the licensing servers from the Internet becomes necessary.
There are four basic architectures that provide access to the licensing servers from the Internet:
Host all of the AD RMS servers (root and licensing-only servers) in a perimeter network and configure them to access the directory services servers, which are hosted in the core network.
Host an AD RMS licensing-only cluster in a perimeter network and configure it to access the directory services servers and the AD RMS root server, which are hosted in the core network.
Host AD RMS servers, along with domain controllers to service them, in a perimeter network.
Host all of the AD RMS servers in the core network and publish them to the Internet by means of a reverse proxy, using a product such as Internet Security and Acceleration (ISA) Server.
The four architectures are discussed in detail in the following sections.